Ramblr: Making Reassembly Great Again

Static binary rewriting has many important applications in reverse engineering, such as patching, code reuse, and instrumentation. Binary reassembling is an efficient solution for static binary rewriting. While there has been a proposed solution to the reassembly of binaries, an evaluation on a realworld binary dataset shows that it suffers from some problems that lead to breaking binaries. Those problems include incorrect symbolization of immediates, failure in identifying symbolizable constants, lack of pointer safety checks, and other issues. Failure in addressing those problems makes the existing approach unsuitable for real-world binaries, especially those compiled with optimizations enabled. In this paper, we present a new systematic approach for binary reassembling. Our new approach is implemented in a tool called Ramblr. We evaluate Ramblr on 106 real-world programs on Linux x86 and x86-64, and 143 programs collected from the Cyber Grand Challenge Qualification Event. All programs are compiled to binaries with a set of different compilation flags in order to cover as many real-world scenarios as possible. Ramblr successfully reassembles most of the binaries, which is an improvement over the state-of-the-art approach. It should be noted that our reassembling procedure yields no execution overhead and no size expansion.

[1]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[2]  David Brumley,et al.  Blanket Execution: Dynamic Similarity Testing for Program Binaries and Components , 2014, USENIX Security Symposium.

[3]  David Brumley,et al.  BAP: A Binary Analysis Platform , 2011, CAV.

[4]  Dinghao Wu,et al.  Reassembleable Disassembling , 2015, USENIX Security Symposium.

[5]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[6]  Lorenzo Martignoni,et al.  N-version disassembly: differential testing of x86 disassemblers , 2010, ISSTA '10.

[7]  Angelos D. Keromytis,et al.  Retrofitting Security in COTS Software with Binary Rewriting , 2011, SEC.

[8]  Heng Yin,et al.  Binary Code Continent: Finer-Grained Control Flow Integrity for Stripped Binaries , 2015, ACSAC 2015.

[9]  Johannes Kinder,et al.  Static Analysis of x86 Executables , 2010 .

[10]  Xiangyu Zhang,et al.  Obfuscation resilient binary code reuse through trace-oriented programming , 2013, CCS.

[11]  Barton P. Miller,et al.  Anywhere, any-time binary instrumentation , 2011, PASTE '11.

[12]  Kevin W. Hamlen,et al.  Securing untrusted code via compiler-agnostic binary rewriting , 2012, ACSAC '12.

[13]  Bart Demoen,et al.  On the Static Analysis of Indirect Control Transfers in Binaries , 2000, PDPTA.

[14]  Christopher Krügel,et al.  SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[15]  Thomas W. Reps,et al.  Analyzing Memory Accesses in x86 Executables , 2004, CC.

[16]  R. Nigel Horspool,et al.  An Approach to the Problem of Detranslation of Computer Programs , 1980, Comput. J..

[17]  Barton P. Miller,et al.  Practical analysis of stripped binary code , 2005, CARN.

[18]  Xi Chen,et al.  An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries , 2016, USENIX Security Symposium.

[19]  Derek Bruening,et al.  Efficient, transparent, and comprehensive runtime code manipulation , 2004 .

[20]  Thomas W. Reps,et al.  Improved Memory-Access Analysis for x86 Executables , 2008, CC.

[21]  Kevin W. Hamlen,et al.  Binary stirring: self-randomizing instruction addresses of legacy x86 binary code , 2012, CCS.

[22]  Rajeev Barua,et al.  Static binary rewriting without supplemental information: Overcoming the tradeoff between coverage and correctness , 2013, 2013 20th Working Conference on Reverse Engineering (WCRE).